https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146294#M49170 <P>Hi,</P><P>I have Frontier FIOS and am currently using an ASA for my Internet router but want to use a PA-200 with a Cisco 891F behind it.&nbsp; The design looks like this:</P><P>&nbsp;</P><P>ISP(DHCP)----(e1/1)-PA-200-(e1/2)---891F (5 subnets)</P><P>&nbsp;</P><P>I set e1/1 untrust w/DHCP from the ISP and e1/2 trust w/static /30 to 891F.&nbsp; I also checked auto create default route to inject route from the ISP and setup Outbound NAT to any/any with no other security policies in place.&nbsp; I allowed ping on both interfaces for troubleshooting.</P><P>&nbsp;</P><P>I prefer not to use the PA-200 for DHCP, therefore, on the 891, I have multiple VLANs with DHCP processes doling out IP addresses/SM/GW/DNS.&nbsp; That works fine and all routing seems to be working, as well.&nbsp; Added a default route to exit the 891s interface connected to the PA-200.</P><P>&nbsp;</P><P>The PA-200 did acquire a DHCP address from the ISP.&nbsp; The trouble I'm having is that I cannot access the Internet from any deivce nor ping the untrusted interface ip.&nbsp; I am not using the ISPs router at all.&nbsp; I guess I am not sure if this is the best design to get this going so, if not, can someone point me in the right direction?&nbsp; I hope this makes sense.</P><P>&nbsp;</P><P>Thanks,<BR />Dan</P> Tue, 07 Mar 2017 01:53:19 GMT DRobinson_TIC 2017-03-07T01:53:19Z https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146294#M49170 <P>Hi,</P><P>I have Frontier FIOS and am currently using an ASA for my Internet router but want to use a PA-200 with a Cisco 891F behind it.&nbsp; The design looks like this:</P><P>&nbsp;</P><P>ISP(DHCP)----(e1/1)-PA-200-(e1/2)---891F (5 subnets)</P><P>&nbsp;</P><P>I set e1/1 untrust w/DHCP from the ISP and e1/2 trust w/static /30 to 891F.&nbsp; I also checked auto create default route to inject route from the ISP and setup Outbound NAT to any/any with no other security policies in place.&nbsp; I allowed ping on both interfaces for troubleshooting.</P><P>&nbsp;</P><P>I prefer not to use the PA-200 for DHCP, therefore, on the 891, I have multiple VLANs with DHCP processes doling out IP addresses/SM/GW/DNS.&nbsp; That works fine and all routing seems to be working, as well.&nbsp; Added a default route to exit the 891s interface connected to the PA-200.</P><P>&nbsp;</P><P>The PA-200 did acquire a DHCP address from the ISP.&nbsp; The trouble I'm having is that I cannot access the Internet from any deivce nor ping the untrusted interface ip.&nbsp; I am not using the ISPs router at all.&nbsp; I guess I am not sure if this is the best design to get this going so, if not, can someone point me in the right direction?&nbsp; I hope this makes sense.</P><P>&nbsp;</P><P>Thanks,<BR />Dan</P> Tue, 07 Mar 2017 01:53:19 GMT https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146294#M49170 DRobinson_TIC 2017-03-07T01:53:19Z https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146335#M49172 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/57579">@DRobinson_TIC</a>&nbsp;and welcome!&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Many things could be really :0 What do you see in the monitoring tab on the&nbsp;PA-200 when the client is attempting&nbsp;to access the internet? How&nbsp;do you have your security policy configured? Post&nbsp;the screenshot pls. Who provides the DNS for the clients, is it working (l guest it is ISP so security policy on PA should allow this).</P> Tue, 07 Mar 2017 08:56:43 GMT https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146335#M49172 TranceforLife 2017-03-07T08:56:43Z https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146340#M49174 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/57579">@DRobinson_TIC</a> and welcome !</P> <P>&nbsp;</P> <P>-There's a video that might help you:&nbsp;<A title="Tutorial: Firewall as a PPPoE or DHCP client " href="https://youtu.be/f79fRY9nyJc" target="_blank">Tutorial: Firewall as a PPPoE or DHCP client </A> <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>-if you say NAT set to 'any any' are you using any zone to any zone? (or IP addresses)</P> <P>&nbsp;&nbsp;&nbsp; I would strongly recommend setting trust to untrust with source nat bound to your external interface</P> <P>&nbsp;</P> <P>-did you add routes to the Virtual router to account for the subnets behind the cisco ?</P> <P>&nbsp;</P> <P>-the external interface will not be pingable until you add a management profile. for an external interface this is preferable</P> <UL> <LI>it makes you stealthy and minimizes attacks against your external interface</LI> <LI>it can get messy to make that work because you will need a nat rule specificlly to be able to ping your external interface, the default rule creates a LAND&nbsp; attack because the source will be identical to the destination</LI> </UL> Tue, 07 Mar 2017 08:27:39 GMT https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146340#M49174 reaper 2017-03-07T08:27:39Z https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146382#M49180 <P>Just reading over what you are describing I would venture to guess that you need to to two things that reaper suggusted already to make this work.</P><P>1) Have you taken into account the routing table on the Virtual Router? If the Palo Alto doesn't know about the subnet you're going to need to tell it where to send the traffic. For example, since I have everything routing to a pair of cores I would need to put the subnets that I'm using, set the interface, and then I give it a next hop value of the core. I imagine that you have to setup something similar.</P><P>2) The Management profile needs to be created, not a major deal and there are plenty of articles on how to do it, but by default you would never be able to ping an interface right out of the box.&nbsp;</P> Tue, 07 Mar 2017 13:48:32 GMT https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146382#M49180 BPry 2017-03-07T13:48:32Z https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146535#M49223 <P>Thank you all for you input.&nbsp; I will look over your responses later today and provide more info as well.</P> Tue, 07 Mar 2017 21:39:18 GMT https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/146535#M49223 DRobinson_TIC 2017-03-07T21:39:18Z https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/147181#M49328 <P>Hi All,</P><P>Sorry for the delay on responding but I can really properly test until tomorrow morning as my daughter needs the Internet available for online school.&nbsp; I will keep you posted and follow up tomorrow.</P><P>Thanks for your patience,</P><P>Dan</P> Sat, 11 Mar 2017 01:23:17 GMT https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/147181#M49328 DRobinson_TIC 2017-03-11T01:23:17Z https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/147228#M49347 <P>So, I finally had some time to check into this and it may have been the routing table issue on the PA-200.&nbsp; So to simplify things, I enabled RIP (LOL, I know) but for the time being it is now working and all my wired/wireless clients are able to get out to the Internet.&nbsp; So now, I just have to migrate my policies from the ASA to the PA-200.</P><P>&nbsp;</P><P>Thanks again for all of your input.</P><P>&nbsp;</P><P>Dan</P><P>&nbsp;</P> Sat, 11 Mar 2017 19:26:30 GMT https://live.paloaltonetworks.com/t5/general-topics/new-to-palo-alto-firewalls/m-p/147228#M49347 DRobinson_TIC 2017-03-11T19:26:30Z